Defcon 16: MIT Boston transit presentation gagged

[Zack Anderson], [RJ Ryan], and [Alessandro Chiesa] were sued by the Massachusetts Bay Transit Authority for an alleged violation of the Computer Fraud and Abuse Act after copies of their presentation slides were circulated at Defcon 16. The slides give an eye-widening glimpse into the massive security holes present in the Boston subway system. There are at least 4 major security flaws in the subway, which allowed them to get free subway rides by finding unlocked, back door routes into the subway, spoofing magnetic and RFID cards, and attacking the MBTA’s network. Judge Douglas P. Woodlock has issued a gag order, stopping the trio from giving the presentation at Defcon or disclosing sensitive information for ten days. However, the MIT school newspaper, The Tech, has published a PDF of the slides online. The research culminated in the trio warcarting the MBTA’s headquarters and being driven off by police.

13 thoughts on “Defcon 16: MIT Boston transit presentation gagged”

“We have a bunch of security vulnerabilities, but are too lazy to be bothered with them, so shut up. Don’t let the public know that they’re being screwed. If you do, we’ll take you to court. Yeah, I told you to shut up, but you didn’t listen, so now I’ll court-order you to stop talking. Our problems don’t exist!” Yet another reason I don’t like Boston.

Let’s give thanks to the EFF for staying up all night and attempting to fight this gag order over the last 24 hours. Although they failed, the EFF is continuing to fight for these students’ right to speak.

I think the real problem is they went beyond simply finding the vulns. They *applied* them. This puts them in a very sticky legal situation, especially since their own slides act as admission of guilt.

Yeah, but the application of the exploits acts as a proof of concept. If these vulnerabilities were ignore-able, the transit authority wouldn’t have fought so hard to shut the kids up. If they didn’t actually apply the exploits, it becomes the kids’ word against the transit authority’s. The fact that they applied the exploits proves to everyone that the vulnerabilities actually exist. Let’s just hope this whole ordeal acts as a wake-up call to the transit authority, as it very well should. But it’s Boston, so there’s a good chance it won’t. (Remember, same place a bunch of LEDs thrown together on a PCB was misconstrued as a bomb.)

Also I think the MBTA is taking the wrong approach here. Instead of trying to give a gag order and hide the information (which will never work) they should just hire these kids to fix the system. I mean anyone who can create a “one button party mode” (http://web.mit.edu/zacka/www/midas.html) for their dorm room can fix these problems.

Unfortunately, that’s the way most of these things work. When does a stoplight get installed at a busy and dangerous intersection? When enough people are injured or killed. I don’t see this being any different. Now I realize this was a few years ago now so please, someone prove me wrong, show me that they actually bothered to fix the problems, and not just leave it with attacking the MIT students.